
Thread: Windows XP Pro broken - Help please

  1. #1 (Join Date: Dec 2011, Posts: 8)

    Windows XP Pro broken - Help please

    Hi & thanks for doing what you do

    I have an infected Windows XP Pro (sp3) 32-bit system

    I had difficulty installing the Malwarebytes' Anti-Malware in "normal" mode
    I could start the installer but it never popped up a menu, and seemed to be just stalled... cpu was at 0%

    I started in safe mode (with networking) and the installer installed successfully.

    I have tried to run the prog (mbam.exe) in normal mode but nothing happens... rebooted it after 20 mins with no activity.

    I can run it in Safe mode (with networking) and it asks "The database is outdated by 44 days.... update now?"

    If I say yes
    then it says immediately "An error has occurred. Please report this to our support team(...) PROGRAM_ERROR_UPDATING(0,0 Host not found)"

    If I say no (or ok to the error above) then I can start the scanning... which is where I am now... I guess it will take some hours

    Am I on the correct path?

    Is there maybe a "boot from CD method" which would be better to use?


    The next chapter

    The Malwarebytes scan completed after about 2 hours, (log file posted below)

    The ESET Online Scanner, and all the alternatives listed, will not run.
    They all seem to stall when trying to download their applet/addon

    The DDS script, displays the instructions and a progress bar in the form of a line of 54 "#" chars
    There it stalls. (I waited 30 mins to be sure)
    No files were created on the desktop.


    other info


    My IE version is 8.0.6001.18702

    My googlemail account:
    whenever I try to access my email account at google it stalls saying "loading <myemailaddress>@googlemail.com" (progress bar shows about 75%)
    (Account works fine when accessed from another PC)

    Virus Checker:
    I first noticed a problem when my browser (both Firefox and IE) would start, and I could enter URLs in the address bar, but they never seemed to connect to the site, got just a blank white page.
    I uninstalled my virus checker (Avg) and then I could view the web pages again.
    Now Firefox refuses to start, it is visible in the Processes list but never displays a window, and cannot be killed with an "End process".

    Starting and Stopping the PC:
    The PC will not always start up completely: 1 out of 2 times, at the point where the desktop is normally displayed, I just get a black screen and a mouse cursor; sometimes I can move the mouse cursor, but most times it's just frozen.

    The PC almost never turns off properly, it gets to the "Saving your settings" message and hangs.
    A Restart usually works as far as the shutting down/reboot bit (but then can hit the startup problem)

    Malwarebytes log:

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.04.08

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Fred :: JJC [administrator]

    18/05/2012 23:44:49
    mbam-log-2012-05-18 (23-44-49).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 856332
    Time elapsed: 2 hour(s), 13 minute(s), 32 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 1
    C:\sooi832.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

    Files Detected: 2
    C:\System Volume Information\_restore{6860FD64-7627-4E1E-BE52-A0ED2E28B250}\RP1024\A0968795.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
    C:\sooi832.bin\8C5E40CD3C227A8 (Trojan.SpyEyes) -> Quarantined and deleted successfully.

    (end)
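A small parser for the Malwarebytes 1.x scan log format shown in the post above, added here as an example (it is not the poster's code and not anything from Malwarebytes): it turns the log into structured detections, flags entries that sit under System Volume Information (restore-point copies rather than the live file), and checks each section's reported count against the entries actually listed, which catches a truncated or edited log when triaging a posted one. The sample log is constructed from the format above and trimmed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the Malwarebytes 1.x log format posted above (trimmed; not the poster's full log).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.61.0.1400
Database version: v2012.04.04.08
Memory Processes Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\sooi832.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

Files Detected: 2
C:\System Volume Information\_restore{6860FD64-7627-4E1E-BE52-A0ED2E28B250}\RP1024\A0968795.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
C:\sooi832.bin\8C5E40CD3C227A8 (Trojan.SpyEyes) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# Greedy path group: a path containing parentheses still leaves the final "(Family)" for the family group.
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
META_RE = re.compile(r"^(?P<key>[A-Za-z][\w ]*?): (?P<value>.+)$")


@dataclass
class Detection:
    section: str            # "Files", "Folders", "Registry Keys", ...
    path: str
    family: str             # e.g. "Trojan.SpyEyes"
    action: str             # e.g. "Quarantined and deleted successfully"
    in_restore_point: bool  # under System Volume Information: a restore-point copy, not the live file


@dataclass
class ScanReport:
    meta: dict = field(default_factory=dict)
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)
    mismatches: list = field(default_factory=list)  # (section, count the log claims, entries actually listed)


def parse_mbam_log(text: str) -> ScanReport:
    report, section = ScanReport(), None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if m := SECTION_RE.match(line):
            section = m["section"]
            report.counts[section] = int(m["count"])
        elif section and (m := DETECTION_RE.match(line)):
            report.detections.append(Detection(section, m["path"], m["family"], m["action"],
                                               "system volume information" in m["path"].lower()))
        elif m := META_RE.match(line):
            report.meta[m["key"]] = m["value"]
    # A count that disagrees with the listed entries means a truncated or edited log.
    for sec, claimed in report.counts.items():
        listed = sum(1 for d in report.detections if d.section == sec)
        if listed != claimed:
            report.mismatches.append((sec, claimed, listed))
    return report


def summarize(report: ScanReport) -> dict:
    # Detections per malware family: the quickest view of what the scan actually hit.
    return dict(Counter(d.family for d in report.detections))
```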

  2. #2 (Join Date: Aug 2006, Location: The Middle, Age: 71, Posts: 4,079)
    Do the following: I want you to run rkill.
    It is a tool that kills known processes that stop the use of normal anti-malware applications. Just kills known malware processes so that anti-malware programs can do their job. After running rkill DO NOT reboot the computer because the malware processes will just begin again. Once rkill has run, try to update MBA-M and run a new FULL Scan with it. Allow it to remove everything found.

    Also again after those two above try downloading and running DDS again. Post back with both logs.
    Go to this link:
    http://www.bleepingcomputer.com/download/rkill/

    Download rkill. There are Seven copies of this small file, all the same, just with different names. Take all seven of them. If one doesn't work then try the next and so on.

    If possible save them to the desktop.

    If necessary you can download them to another computer, move them to a flash drive and take them to the infected computer.

    To start, double click the rkill file with the name iExplore.exe to have it run. Now when it runs this is what will happen:
    it will display a console screen. That console screen will continue to run until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill and while RKill was running.

    As noted above, if the first one doesn't run then immediately try another. Keep trying until one of them runs then do the MBA-M update and Full Scan and the DDS Scan.

  3. #3 (Join Date: Dec 2011, Posts: 8)
    Still cannot get mbam to start

    1. run rkill
    c:\rkill.log created

    It showed 1 process terminated...

    Processes terminated by Rkill or while it was running:
    C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
    Rkill completed on 20/05/2012 at 0:51:20.

    2. After running rkill DO NOT reboot the computer
    ok

    3. Once rkill has run, try to update MBA-M
    mbam.exe stalled on startup, did not manage to display a form,
    Windows Start button not responding,

    I rebooted

    You wrote: "There are Seven copies of this small file, all the same, just with different names.
    Take all seven of them. If one doesn't work then try the next and so on.
    If possible save them to the desktop."

    There was only one file available (rkill.exe) on the link you provided.
    So I made a copy and called it IExplore.exe ...same results

    I rebooted in Safe mode, uninstalled and re-installed Malwarebytes

    I rebooted normal mode, made a 3rd copy of rkill.exe called it Donaldduck.exe...
    this time rkill made all my desktop icons, and the task bar, disappear.

    In each case the rkill.log showed the same as above, and mbam refused to start, although it showed in the Task manager Processes and would not respond to an "End Process"

    I also tried the DDS.scr again and it also just stalled like mbam
    Last edited by JJCLaverda3; 05-21-2012 at 02:09 AM.

  4. #4 (Join Date: Dec 2011, Posts: 8)
    You wrote: "There are Seven copies of this small file, all the same, just with different names.
    Take all seven of them. If one doesn't work then try the next and so on.
    If possible save them to the desktop."

    I think that the instructions are a little out of date?

    In the Malwarebytes folder there is a folder called Chameleon
    In there is a help file chameleon.chm
    This contains a menu for calling all the rkills in that folder...

    Trouble is I can't open the help file

    From your earlier clues I reckon that these are what the help menu is calling, though I can't work out in which order
    (does the order you try matter?)

    firefox (shortcut)
    firefox.com
    firefox.exe
    firefox.scr
    iexplore.exe
    mbam-chameleon (shortcut)
    mbam-chameleon.com
    mbam-chameleon.exe
    mbam-chameleon.scr
    rundll32.exe
    svchost.exe
    winlogon.exe

    I tried each in the order above, one after the other. They all show a dos box with...

    MBAM-Chameleon ver. 1.60.2
    Press any key to continue
    Installing Driver...
    Protected Path: c:\Program Files\Malwarebytes' Anti-Malware\Chameleon\


    Neither Mbam nor DDS.scr would start

  5. #5 (Join Date: Dec 2011, Posts: 8)
    Ok now I managed to start the help file chameleon.chm

    I ran the first... it said
    MBAM-Chameleon ver. 1.60.2
    Press any key to continue
    Installing Driver...
    Protected Path: c:\Program Files\Malwarebytes' Anti-Malware\Chameleon\

    when I tried the 2nd it said...
    MBAM-Chameleon ver. 1.60.2
    Press any key to continue
    Driver already installed

    So maybe the "Installing Driver...
    Protected Path: c:\Program Files\Malwarebytes' Anti-Malware\Chameleon\"
    means it was successful?

  6. #6 (Join Date: Aug 2006, Location: The Middle, Age: 71, Posts: 4,079)
    Now try to run the program.

    By the way, ALL of the instructions I posted yesterday were written yesterday, they are not out of date. If you had scrolled down the page on the rkill download page you would have seen all seven copies. By re-naming and re-using that ONE file all you were doing was re-using a damaged file. It would never work no matter what name you gave it because it was damaged. Delete that totally.

  7. #7 (Join Date: Dec 2011, Posts: 8)
    Quote Originally Posted by jholland1964:
    Now try to run the program.
    mbam still won't start, tried many combinations of the chameleon thing... but...

    Quote Originally Posted by jholland1964:
    By the way, ALL of the instructions I posted yesterday were written yesterday, they are not out of date. If you had scrolled down the page on the rkill download page you would have seen all seven copies. By re-naming and re-using that ONE file all you were doing was re-using a damaged file. It would never work no matter what name you gave it because it was damaged. Delete that totally.
    ...oops sry!
    It was late... I was tired thanks for your patience!

    trying again.....

  8. #8 (Join Date: Aug 2006, Location: The Middle, Age: 71, Posts: 4,079)
    All the files you tried have likely been damaged by the infection and all of them must be removed. DDS, MBA-M, rkill.

    Delete DDS and rkill files.

    Remove MBA-M using this removal tool

    http://www.malwarebytes.org/mbam-clean.exe

    Then begin again, see what happens.

  9. #9 (Join Date: Dec 2011, Posts: 8)
    Quote Originally Posted by jholland1964:
    All the files you tried have likely been damaged by the infection and all of them must be removed. DDS, MBA-M, rkill.

    Delete DDS and rkill files.

    Remove MBA-M using this removal tool

    http://www.malwarebytes.org/mbam-clean.exe

    Then begin again, see what happens.
    Ok thanks I will begin again!

    Before I do, is there some way I could update the mbam data manually, like copying an entire mbam folder from an updated uninfected machine?


    Do I need to download each time to ensure the files are not damaged?
    Would I be able to achieve the same end by keeping it all in a zip on the infected machine
    ...and just unpacking each time I need to use it?

    The only way I can get files to/from the PC is via FileZilla. Is that ok/safe to use?

    Anyhoo, I spent all day on the following, could you peruse it as I have some questions?

    Ok now I have all the files I need in a zip file on the infected PC

    I prepare as follows...

    1. delete all the (possibly damaged) rkills on the desktop
    2. unpack the files from the zip to a temporary sub folder
    3. copy the rkills to the desktop
    4. Delete the temporary sub folder

    Am I right that this guarantees that I'm testing with undamaged files?

    Also during the tests I am keeping the Windows Task Manager open to keep an eye on the process list,
    please let me know if this interferes in any way?

    Results of my tests....

    First Test
    Step 1.
    I opened WiNlOgOn.exe
    waited for the log to show
    Tried to start mbam (by right-click + Open on my mbam desktop shortcut)
    mbam.exe stalled (shows in process list but not doing much, using

    Rkill Log:
    Rkill was run on 20/05/2012 at 17:12:30.
    Operating System: Microsoft Windows XP

    Processes terminated by Rkill or while it was running:

    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
    C:\Documents and Settings\Fred\Desktop\WiNlOgOn.exe
    C:\Documents and Settings\Fred\Desktop\eXplorer.exe
    C:\Documents and Settings\Fred\Desktop\rkill.com
    C:\Documents and Settings\Fred\Desktop\rkill.exe
    C:\Documents and Settings\Fred\Desktop\rkill.scr
    C:\Documents and Settings\Fred\Desktop\uSeRiNiT.exe

    Rkill completed on 20/05/2012 at 17:12:33.

    Step 2.
    I opened uSeRiNiT.exe
    waited for the log to show

    Rkill Log:
    Rkill was run on 20/05/2012 at 17:19:35.
    Operating System: Microsoft Windows XP
    Processes terminated by Rkill or while it was running:

    Rkill completed on 20/05/2012 at 17:20:08.


    All the icons on the desktop disappeared
    the Windows Start button and taskbar were visible but not responding to clicks

    I found that if I did a File/New Task (Run...) for "c:\" in the Task Manager then the desktop icons reappeared

    I did not try to start mbam at this point as mbam.exe was still showing in process list, but not doing much,
    and refused to be killed with an "End task"

    Step 3.
    So I opened rkill.scr
    waited for the log to show

    Rkill Log:
    Rkill was run on 20/05/2012 at 17:23:49.
    Operating System: Microsoft Windows XP
    Processes terminated by Rkill or while it was running:

    Rkill completed on 20/05/2012 at 17:24:46.


    mbam.exe was still showing in process list but...
    I thought I'd try to start it again (by right-click + Open on my mbam desktop shortcut)

    bingo ! mbam loaded and showed a pop-up...


    Updating Malwarebytes Anti-Malware...
    Downloading v2012.05.20.04
    6,946.20 kb [100%]

    The progress bar reached 100% (I was getting hopeful)

    But then it complained that "mbam is already running" (from step 1)

    Step 4.
    I ran all the remaining rkills and tried to start mbam after each one completed,
    I ended up with 3 or 4 stalled mbams
    3 of them having downloaded the upgrades but not getting any further.

    So I rebooted and started again following Steps 1 to 3
    except I did not try to start mbam until I had run the 3rd rkill,
    but this simply stalled like before

  10. #10 (Join Date: Aug 2006, Location: The Middle, Age: 71, Posts: 4,079)
    Before I do Is there some way I could update the mbam data manually?, like copying an entire mbam folder from an updated uninfected machine???

    If you have an uninfected machine then Why are you using a zip file to store these files? That makes no sense whatsoever. Why are you using Filezilla? All you need is a clean flash drive. You can easily move files from a flash drive to a computer. No need for zip files. Unzipping a file may be all this infection needs to react. The act of unzipping IS a running process.

    A zipped file will not necessarily remain clean. Every time you unzip it, it is open and the files inside can become infected. Many infections spread via zipped files.

    You were not told to put any files into a zip file. You were told to use the executable files, not from a zip file.

    I prepare as follows...
    1. delete all the (possibly damaged) rkills on the desktop
    2. unpack the files from the zip to a temporary sub folder
    3. copy the rkills to the desktop
    4. Delete the temporary sub folder
    Am I right that this guarantees that I'm testing with undamaged files? ABSOLUTELY NOT

    You are making this all the more complicated than it needs to be by doing things that are not listed in ANY steps...keeping the Task Manager open for one thing. That is a running file which may interfere. EVERYTHING except the ONE rkill should be closed. Nothing else should be open. None of those other rkill files should have been running.

    The instructions are very clear. The files don't go to any temporary folder. The files go directly to the desktop, either via downloading using Safe Mode with Networking OR moving them from a flash drive to the infected computer.

    RKill only terminates RUNNING infection processes it doesn't remove them. It doesn't remove other files that are not running.

    You don't ever run all of them UNLESS ONE of them doesn't work. Then you move to the next ONE not all of them.

    If ONE works then the others don't need to be run.

    Once ONE works then you move forward to do MBA-M and not one held in a zip file but a brand new clean copy either downloaded via safe mode with networking to the infected computer OR by transferring the brand new CLEAN MBA-M install file (not the entire program) to the infected computer and installing it.

    If you really wanted assistance you would have followed ONLY the steps given, not anything else.

    Continually re-using the same "dirty" files is defeating everything. mba-m.exe should NOT have been running at all prior to rkill being run, it should not have been showing in the running processes. It should not have been started until rkill was finished and it DOES show you that it is finished. Then and only then should MBA-M have been downloaded and installed, NOT before.

    Your computer has an EXTREMELY dangerous infection on it as noted by the file found by MBA-M in your initial run and that is the Trojan.SpyEyes in the family of password stealers and remote access trojans.
    It is an infection that can enter the computer via a zip file, P2P file sharing, OR, visiting remote, crack and keygen sites. Obviously the removal of the ONE file by MBA-M did not remove the full infection, if it had you should not be having to still try to remove it.

    This infection injects code in legitimate files and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus program or likely other removal programs either. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer the infection remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Since you have not even followed the instructions as given I am sure this infection has taken an even deeper hold on your computer.
    Your best bet at this point is a reformat and reinstall of the system.
